posted
16/01/10
By Fredrik "DXter" Jonsson
Today Dalle and I have had an entire day of coding here at my place in Västerås. Dalle arrived this morning and we have been working all day on some new things for PKI ToolBox. Two new tools are nearly done:
A graphical, complete and user friendly ADCS Backup & Restore Tool
Since the integrated graphical backup and restore wizard in Active Directory Certificate Services can NOT back up the CA configuration or the CA policy, we have decided to create our own, easy to use backup and restore tool that can do a complete backup and restore of an Active Directory Certificate Services CA. Of course, you can select exactly what you want to back up if you don’t want everything. The cool thing with this tool is that even though it is by definition a “third party tool”, it still uses certutil behind the scenes, so backup and restore are still done according to Microsoft’s best practices.
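To make concrete what “complete” means here, the following is an added example script (my own, not PKI ToolBox code) that does the three things the built-in wizard does not do together: back up the CA key and database with certutil, export the CA configuration from the registry with reg.exe, and copy CAPolicy.inf. It assumes it is run in an elevated session on the CA itself, and the backup root path is a placeholder of your choosing.

```powershell
# Added example (not PKI ToolBox code): a complete ADCS CA backup built on certutil and
# reg.exe, covering what the certsrv.msc wizard leaves out (CA configuration, CAPolicy.inf).
# Assumptions: run elevated on the CA; $BackupRoot is a local path you choose.
[CmdletBinding()]
param(
    [string]$BackupRoot = 'C:\CABackup'
)

$ErrorActionPreference = 'Stop'

# certutil -backup will not write into a directory that already has content,
# so every run gets its own timestamped folder.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. CA certificate + private key (as a password-protected .p12) and the certificate database.
#    The password is prompted for rather than hard-coded; be aware it is still visible in the
#    certutil command line for the duration of the call.
$backupPassword = Read-Host -Prompt 'Password to protect the CA key backup'
certutil -p $backupPassword -backup $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA configuration, the part the wizard does not export.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $regKey (Join-Path $backupDir 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. CAPolicy.inf is optional, so only copy it when it exists.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path -LiteralPath $caPolicy) { Copy-Item -LiteralPath $caPolicy -Destination $backupDir }

# Sanity check before declaring success: the key file and the database must both be there.
$pfx = Get-ChildItem -Path $backupDir -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $backupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $pfx -or -not $edb) { throw "Backup in $backupDir is incomplete" }

Write-Host "Complete CA backup written to $backupDir"
```

Restoring is the mirror image: `certutil -p <password> -restore <backupDir>` for key and database, `reg import` for the configuration, and CAPolicy.inf back into %SystemRoot%. Check the exported configuration before importing it on a rebuilt server, since it contains the CA name and host-specific paths.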
A Smart Card Import Tool
We are working on a graphical user interface for importing PFX/P12 files to smart cards. The tool has a built-in ability to do the necessary CSP configuration to enable or disable imports to smart cards, and it also automatically checks whether CSP configuration is necessary and whether you have the privileges to do the import. We are primarily coding against the Base CSP, so imports to any minidriver-based smart card should work out of the box without any reconfiguration. You want to use another CSP? Hey man, it’s a PowerShell file (in other words, a text file), just edit it! Since all the tools in PKI ToolBox are licensed under GPL v2, we even encourage modification and redistribution of our PowerShell code.
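The checks described above map onto two things in Windows: the Base CSP only accepts private key import when two DWORD values under its registry key are set to 1, and changing those values writes to HKLM, which needs an elevated session. The script below is an added example of my own (not the PKI ToolBox import tool) that performs both checks and then hands the PFX to certutil with the Base CSP selected. The PFX path is supplied by the caller, and the `-EnableImport` switch is the caller's explicit consent to flip the CSP setting.

```powershell
# Added example (not PKI ToolBox code): import a PFX into a minidriver-based smart card through
# the Microsoft Base Smart Card Crypto Provider, after checking that the CSP allows private key
# import and that we are entitled to change that setting if it is off.
# Assumptions: the card is in the reader; $PfxPath is an existing PFX/P12 file.
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [switch]$EnableImport
)

$ErrorActionPreference = 'Stop'

$cspName = 'Microsoft Base Smart Card Crypto Provider'
$cspKey  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$cspName"
# Both must be 1 or the Base CSP rejects imported private keys.
$importValues = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-BaseCspImportEnabled {
    foreach ($name in $importValues) {
        $value = (Get-ItemProperty -Path $cspKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -ne 1) { return $false }
    }
    return $true
}

function Enable-BaseCspImport {
    foreach ($name in $importValues) {
        New-ItemProperty -Path $cspKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX not found: $PfxPath" }

if (-not (Test-BaseCspImportEnabled)) {
    if (-not $EnableImport) {
        throw "Private key import is disabled in '$cspName'. Re-run with -EnableImport from an elevated session."
    }
    if (-not (Test-IsAdministrator)) {
        throw 'Enabling import writes to HKLM; run this from an elevated PowerShell.'
    }
    Enable-BaseCspImport
}

# certutil routes the key to the card when told to use the Base CSP. It prompts for the PFX
# password and the card prompts for its PIN.
certutil -user -csp $cspName -importPFX $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }

# The imported certificate should now appear in the user store with a private key.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter
```

Leaving the two Allow* values at 1 permanently widens what any process running as the user can push onto a card, so a tool that enables them for an import should put them back afterwards; that is the “disable” side of the configuration the post mentions.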
Stay tuned!
// Fredrik “DXter” Jonsson
posted
24/10/09
By Fredrik "DXter" Jonsson
In my last post, Creating your own code signing certificate on a smartcard without an internal PKI, I showed how to create a self-signed code signing certificate on a smart card. Since PowerShell can check the signatures of PowerShell files before they are executed (under the AllSigned and RemoteSigned execution policies), signed PowerShell files are preferred for obvious security reasons.
First we can list the code signing certificates we have with the PowerShell command:
Get-ChildItem -Path cert:\CurrentUser\my -CodeSigningCert
which in my case gives the following output:
I see the code signing certificate that I use to sign our tools for PKI ToolBox. This certificate is located on a Gemalto .NET smart card.
Now we can build a code signing script using the PowerShell cmdlet Set-AuthenticodeSignature.
The following code is the actual PowerShell signing script that we use to sign our tools in the PKI ToolBox:
# Pick the signing certificate by its exact thumbprint (the key lives on the smart card)
$cert=Get-ChildItem -Path cert:\CurrentUser\My\F1BF8F3ABBD6295D77C8D4BD6FEEDC19E32A9A74
# Everything in the cue folder gets signed; the signing script itself stays outside it
$cue=Get-ChildItem .\cue
Set-Location .\cue
# Sign with the full chain and a timestamp countersignature (the card prompts for its PIN)
Set-AuthenticodeSignature -FilePath $cue -certificate $cert -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"
Set-Location ..
1. The first thing we do is create a folder called cue in the same location as the script. In this folder we put the PowerShell files that are to be signed.
2. We assign our code signing certificate to a variable called $cert. The reason I do not use the -CodeSigningCert flag when calling Get-ChildItem is that I want to be specific about exactly which certificate is used for the signature, by referencing the signing certificate’s exact thumbprint.
3. We create a variable called $cue that holds all objects in the cue folder. We do not want a hard-coded reference to a target file, because the signature on the signing script itself would be broken every time we modified the script to point at another file.
4. We move into the cue folder; the Get-ChildItem call has given us the list of PowerShell files that our script will sign. Pretty cool huh?
5. The cmdlet Set-AuthenticodeSignature signs all the files in the cue folder with the certificate on our smart card (the script prompts the user for the smart card PIN). Since the signing time recorded in the signature is just the clock of the signing computer, it is not a reliable way to establish when the file was actually signed. Therefore we also include a countersignature from VeriSign’s timestamp server with the flag -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll", so our users can trust the timestamp. A trusted timestamp also lets the signature stay valid after the signing certificate itself has expired. (Check that the timestamp server you point at is still in service; the URL above dates from 2009.)
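The signing script above does not check its own result. As an added example (my own, not the PKI ToolBox signing script), here is a sign-then-verify version of the same procedure: it selects the certificate by thumbprint, signs only the .ps1 files in the cue folder, countersigns with a timestamp server, and then re-reads every file with Get-AuthenticodeSignature to confirm the status is Valid, the signer is the expected certificate, and a timestamp countersignature is present. The thumbprint and timestamp server URL are placeholders to replace with your own, and the -HashAlgorithm and -File parameters assume PowerShell 3.0 or later.

```powershell
# Added example (not PKI ToolBox code): sign every .ps1 in the cue folder with a smart card
# certificate chosen by thumbprint, timestamp it, then verify each file independently.
# Assumptions: $Thumbprint and $TimestampServer are placeholders; PowerShell 3.0+.
param(
    [string]$Thumbprint      = 'REPLACE-WITH-YOUR-CODE-SIGNING-THUMBPRINT',
    [string]$TimestampServer = 'http://timestamp.example.invalid',   # placeholder TSA URL
    [string]$QueueDir        = '.\cue'
)

$ErrorActionPreference = 'Stop'

# Exact thumbprint match, so a second code signing certificate in the store is never picked up.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
if (-not $cert) { throw "Code signing certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired" }

# Only PowerShell files are signed; anything else dropped into the folder is ignored.
$files = @(Get-ChildItem -Path $QueueDir -Filter '*.ps1' -File)
if ($files.Count -eq 0) { throw "Nothing to sign in $QueueDir" }

# The smart card prompts for its PIN on first use of the private key.
Set-AuthenticodeSignature -FilePath $files.FullName -Certificate $cert `
    -IncludeChain All -TimestampServer $TimestampServer -HashAlgorithm SHA256 | Out-Null

# Verification pass: re-read each file rather than trusting the signing call's return value.
$failed = @()
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $problems = @()
    if ($sig.Status -ne 'Valid') {
        $problems += "status $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        $problems += 'signed by a different certificate'
    }
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature'
    }
    if ($problems.Count -gt 0) {
        $failed += "$($f.Name): $($problems -join '; ')"
    } else {
        Write-Host ("OK  {0}  timestamped by {1}" -f $f.Name, $sig.TimeStamperCertificate.Subject)
    }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning $_ }
    throw 'One or more files failed signature verification'
}
```

With a self-signed certificate like the one from the previous post, Get-AuthenticodeSignature reports NotTrusted rather than Valid on any machine that does not have that certificate in Trusted Root Certification Authorities and Trusted Publishers, so expect the verification pass to fail there until the certificate has been distributed.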
Now, let’s look at the result of a signed PowerShell file:
First we see that the file’s properties have a new tab, called “Digital Signatures”.
If we look at the details, we see that our digital signature is OK and that VeriSign has confirmed our signing date and time.
A video of this has already been recorded by Dalle and me when we visited Microsoft last Friday to record our demo of PKI ToolBox for TechNet Edge. The video will be posted on http://edge.technet.com in the near future.
// Fredrik ”DXter” Jonsson
posted
16/10/09
By Fredrik Wall
My favorite tool at the moment is PrimalForms. But I have been using the Community Edition and thought that some of the odd stuff in the editor was because it was early in development. Yesterday I went to the site to look for some more information and learned that the lack of copy/paste was because of the Community Edition. I thought that the Community Edition was a full-version tool and not like a shareware tool with limited functions if I didn’t pay.
My main use for this tool is an Open Source project (http://www.pkitoolbox.com) based on Windows Forms, so a free tool was great. Now I have to pay about 149 dollars for PrimalForms 2009 to get the basic functions plus some extra features.

BUT I must say that this tool is one of the best free tools, despite the limitations that I didn’t know of until yesterday.
posted
15/10/09
By Fredrik Wall
Today will be an early morning and a late evening, with a lot of PowerShell and a lot of deployment. PowerShell now and tonight, deployment during the day.
Tomorrow a whole day is booked for the PKI Toolbox. First DXter and I are going to Microsoft Sweden HQ for an interview and demo. Then there is a PKI Toolbox team meeting at Riverpoint HQ.
posted
05/10/09
By Fredrik Wall

The CRL Cache Tool v1.1 reached RTM this morning, Swedish time.
New features are:
Help
Behind the scenes:
Every feature now has its own PowerShell function.
The forms were made with SAPIEN Technologies PrimalForms (Community Edition) v1.0.6.0 instead of v1.0.3.0.
View:

Delete:

posted
04/10/09
By Fredrik Wall
We just released SCRoots tool v1.1 RTM.
http://www.pkitoolbox.com/+announcement/3957
New features:
Import
Help
Behind the scenes:
Every feature now has its own PowerShell function.
The forms were made with SAPIEN Technologies PrimalForms (Community Edition) v1.0.6.0 instead of v1.0.3.0.
Thanks to:
Christoffer Andersson (Active Directory MVP) and
Anders Bengtsson (SCOM MVP) for their help
with suggestions and testing.
posted
17/09/09
By Fredrik Wall
We are currently working on some new tools for the PKI Toolbox, and there are currently 3 news items for the project.
- Own domain name
We got a domain name for the PKI Toolbox project.
http://www.pkitoolbox.com
- Invitation to Microsoft Sweden
DXter and I have been invited to Microsoft TechNet Sweden to record an interview and to demonstrate the PKI Toolbox, so we will release some new tools before that meeting on the 6th of October.
The recording will be on TechNet Edge later on.
http://edge.technet.com
- Live presentation
On the 13th of October you can see the PKI Toolbox in a live presentation by DXter at the Dataföreningen Sverige meeting “PKI i teori och praktik” (PKI in theory and practice), a 2-hour presentation about PKI by DXter.
All announcements can be found here,
www.pkitoolbox.com/+announcements
And the downloads can be found here,
www.pkitoolbox.com/+download
posted
08/09/09
By Fredrik Wall
My friend DXter and I have been working on a project for a while now:
The PKI Toolbox
An open source, graphical toolbox to manage PKI, certificate and smart card related operations in Windows. All the tools are written in PowerShell.
The site for the tool can be found on launchpad.net.
We will publish the first 2 tools within 24-48 hours, and we are currently working on 3 more tools.
Please check out the site here.